CHAPTER 9

Mathematics of Cryptography: Part 3

(Solution to Old-Numbered Problems)

Review Questions
1. A positive integer is a prime if and only if it is exactly divisible by two integers, 1
and itself. A composite is a positive integer with more than two divisors.
3.
a. The function π(n) finds the number of primes smaller than or equal to n.
b. Euler’s phi-function, φ(n), which is sometimes called the Euler’s totient func-
tion, finds the number of integers that are both smaller than n and relatively
prime to n.
5. We discussed two versions of Fermat’s little theorem. The first version says that if
p is a prime and a is an integer such that p does not divide a, then we have ap−1 ≡
1(mod p). The second Version removes the condition on a. It says that if p is a
prime and a is an integer, then ap ≡ a (mod p). Two immediate applications of this
theorem is to find solutions to exponentiation and multiplicative inverses when the
modulus is a prime.
7.
a. Mersenne defined the formula Mp = 2p − 1 that was supposed to enumerate all
primes. However, not all Mersenne numbers are primes.
b. Fermat defined the formula Fn = 22n + 1 that was supposed to enumerate all
primes. However, not all Fermat’s numbers are primes.
9. We mentioned the trial-division, Fermat, Polard p − 1, Polard rho, quadratic sieve,
and number field sieve.
11. A quadratic congruence is an equations of the form a2x2 + a1x + a0 ≡ 0 (mod n). In
this text, we have limited our discussion to equations of the form x2 ≡ a (mod n).
In this equation a is called a quadratic residue (QR) if the equation has two solu-
tions; a is called quadratic nonresidue (QNR) if the equation has no solutions.

1
 2

Exercises
13.
a. The number of primes between 100,000 and 200,000 can be found as
π(200,000) − π(100,000). Using the upper and lower limits devised by Gauss
and Lagrange, we have
16385 < π(200,000) < 17985 → π(200,000) ≈ 17200
8688 < π(100,000) < 9587 → π(100,000) ≈ 9138
π(200,000) − π(100,000) ≈ 17200 − 9138 ≈ 8062

b. The number of composites between 100,000 and 200,000 is

100,000 − 8062 ≈ 91938

c. The ratio of primes to composites in the above range is 8062/91938 or approxi-

mately 8.77 percent. This ratio for numbers between 1 to 10 (without considering 1 and
10) is 4/4 or 100 percent.
15. When an integer is divided by 4, the remainder is either 0, 1, 2, or 3. This means
that an integer can be written as (4k + 0), (4k + 1), (4k + 2), or (4k + 3), in which k
is the quotient. An integer in the form (4k + 0) or 4k is not a prime because it is
divisible by 4. An integer in the form (4k + 2) can be a prime only if k = 0 (the inte-
ger is 2 and it is the first prime). The other two forms, (4k + 1) and (4k + 3), can
represent a prime or a composite. This means that any prime can be either in the
form of (4k + 1) or (4k + 3). However, this does not mean that any integer in one of
these forms is a prime.
17.
a. φ(29) = 29 − 1 = 28 (29 is a prime)
b. φ(32) = φ(25 5 4
) = 2 − 2 = 16 (2 is a prime)
c. φ(80) = φ(2 × 51) = (24 − 23) × (51 − 50) = 8 × 4 = 32
4
(2 and 5 are primes)
2 × 52) = (22 − 21) × (52 − 51) = 2
d. φ(100) = φ(2 × 20 = 40 (2 and 5 are primes)
e. φ(101) = 101 − 1 = 100 (101 is a primes)
19. We have (10 = 3 + 7), (24 = 11 + 13), (28 = 11 + 17), and (100 = 11 + 89).
21.
a.
(515 mod 13) = [(52 mod 13) × (513 mod 13)] mod 13
= [(−1 mod 13) × (5 mod 13)] mod 13 = −5 mod 13 = 8 mod 13

b.
(1518 mod 17) = [(15 mod 17) × (1517 mod 17)] mod 17
= [(−2 mod 17) × (−2 mod 17)] mod 17 = 4 mod 17

c.
 3

(45617 mod 17) = (456 mod 17) = 14 mod 17

d.
(145102 mod 101) = [(145101 mod 101) × (145 mod 101)] mod 101
= [145 ×145] mod 101 = [44 × 44] mod 101 = 17 mod 101

23. We know that if n is an integer, x−1 mod n = xφ(n) − 1 mod n.

a.
12−1 mod 77 = 12φ(77) −1 mod 77 = 1259 mod 77 = 45 mod 77

b.
16−1 mod 323 = 16φ(323) −1 mod 323 = 16287 mod 323 = 101 mod 323

c.
20−1 mod 403 = 20φ(403) −1 mod 403 = 20359 mod 403 = 262 mod 403

d.
44−1 mod 667 = 44φ(667) −1 mod 667 = 44615 mod 667 = 379 mod 667

25. It can be checked that if 2n − 1 is a prime, then n is a prime. However, there are
some values of n for which 2n − 1 is a composite, but n is a prime (n = 11, for
example). In other words, if n is a prime, 2n − 1 may or may not be a prime; if 2n −
1 is a prime, then n is a prime. This is to say that not all Mersenne numbers are
primes. Since Mersenne’s idea cannot be used for primality test, the fact stated in
this problem cannot be used for primality test.
22 − 1 = 3 is a prime → n = 2 is a prime
23 − 1 = 7 is a prime → n = 3 is a prime
24 − 1 = 15 = 3 × 5 is a composite → n = 4 is a composite
25 − 1 = 31 is a prime → n = 5 is a prime
26 − 1 = 63 = 3 × 5 is a composite → n = 6 is a composite
27 − 1 = 127 is a prime → n = 7 is a prime
28 − 1 = 255 = 5 × 51 is a composite → n = 8 is a composite
29 − 1 = 511 = 7 × 73 is a composite → n = 9 is a composite
210 − 1 = 1023 = 3 × 341 is a composite → n = 10 is a composite
211 − 1 = 2047 = 23 × 89 is a composite → n = 11 is a prime

27. The flow in the Miller-Rabin algorithm may be better understood using the chart in
Figure S9.27. We follow the chart in each case.
 4

Figure S9.27 Solution to Exercise 27

Choose a base

Find m and k

T am mod n

[T = +
− 1] Pseudoprime
Loop

T T2 mod n

[T = +
− 1] [All k’s tested?]
T = +1: Composite
T = −1: Pseudoprime Composite

a. n = 100 → 100 − 1 = 99 × 20 → m = 99 and k = 0.

Pre-loop → T = 299 mod 100 = 88
Loop is by-passed because k = 0 → Composite (100 is an even integer)

b. n = 109 → 109 − 1 = 27 × 22 → m = 27 and k = 2.

Pre-loop → T = 227 mod 109 = 33
k =1 → T = T2 mod 109 = 108 mod 109 = (−1) mod 109
Loop is broken because T = −1 → Pseudoprime (109 is actually a prime)

c. n = 201 → 201 − 1 = 25 × 23 → m = 27 and k = 3.

Pre-loop → T = 225 mod 201 = 95
k =1 → T = T2 mod 201 = 181 mod 201
k =2 → T = T2 mod 201 = 199 mod 201
Loop is terminated → Composite (201 = 3 × 67)

d. n = 271 → 271 − 1 = 135 × 21 → m = 135 and k = 1.

Pre-loop → T = 2135 mod 271 = 1 mod 271
T = +1 in the initialization step → Pseudoprime (271 is actually a prime)

e. n = 341 → 341 − 1 = 85 × 22 → m = 85 and k = 2.

Pre-loop → T = 285 mod 341 = 32
k =1 → T = T2 mod 341 = 1 mod 341
Loop is broken because T = +1 → Composite (341 = 11 × 31)
 5

f. n = 349 → 349 − 1 = 87 × 22 → m = 87 and k = 2.

Pre-loop → T = 287 mod 349 = 213
k =1 → T = T2 mod 349 = 348 mod 349 = (−1) mod 349
Loop is broken because T = −1 → Pseudoprime (349 is actually a prime)

g. n = 2047 → 2047 − 1 = 1023 × 21 → m = 1023 and k = 1.

Pre-loop → T = 21023 mod 2047 = 1 mod 2047
T = +1 in the initialization step → Pseudoprime (but 2047 = 23 × 89)

In this case, the test declares the integer 2047 as a pseudoprime, which is actu-
ally a composite.
29.
a. We test the claim using (3 − 2)p mod p = (3p − 2) mod p with x = 3, a = 2, and
some small primes.
p=2 (3 − 2)2 mod 2 = 1 (32 − 2) mod 2 = 1
p=3 (3 − 2)3 mod 3 = 1 (33 − 2) mod 2 = 1
p=7 (3 − 2)5 mod 7 = 1 (37 − 2) mod 7 = 1

b. We also test the claim using x = 7, a = 3, and some primes.

p=2 (7 − 3)2 mod 2 = 0 (72 − 3) mod 2 = 0

p=5 (7 − 3)5 mod 5 = 4 (75 − 3) mod 5 = 4
p = 17 (7 − 3)17 mod 17 = 4 (717 − 3) mod 17 = 4

31.
a.
a1 = 2 m1 = 7 a2 = 3 m2 = 9 → M = 63
−1 −1
M1 = 9 M1 = 9 mod 7 = 4 ; M2 = 7 M2−1 = 7−1 mod 9 = 4
x = (2 × 9 × 4 + 3 × 7 × 4) mod 63 = 30

b.
a1 = 4 m1 = 5 a2 = 10 m2 =11 → M = 55
−1 −1
M1 = 11 M1 = 11 mod 5 = 1 ; M2 = 5 M2−1 = 5−1 mod 11 = 9
x = (4 × 11 × 1 + 10 × 5 × 9) mod 55 = 54

c.
a1 = 7 m1 = 13 a2 = 11 m2 =12 → M = 156 M1 = 12 M2 = 13
M1 = 12 M1−1 = 12−1 mod 13 = 12 ; M2 = 13 M2−1 = 13−1 mod 12 = 1
x = (7 × 12 × 12 + 11 × 13 × 1) mod 156 = 59
 6

33.
a. The integer 4 is a QR in Z7∗. Since 7 = 4 × k + 3 with k = 1, we can use the
following expressions to find the solutions.
x: 4(7 + 1)/4 mod 7 = 2 x: −4(7 + 1)/4 mod 7 = −2

b. The integer 5 is a QR in Z11∗. Since 11 = 4 × k + 3 with k = 2, we can use the

following expressions to find the two solutions:
x: 5(11 + 1)/4 mod 11 = 4 x: −5(11 + 1)/4 mod 11 = −4

c. The integer 7 is not a QR in Z13∗ (see Exercise 32). This equation has no solu-
tions.
d. The integer 12 is not a QR in Z17∗ (see Exercise 32). This equation has no
solutions.
35. We use tables based on Figure 9.7. We first calculate all powers of a’s.
a. y = 2124 mod 8 → a = 21, x = 24 = 110002. Shaded areas represent no moutipli-
cations. All calculations are in modulo 8. The answer is y = 1.
a’s xi y = 1 mod 8
a = 5 mod 8
1
0 y = 1 mod 8
a = 1 mod 8
2 0 y = 1 mod 8
a4 = 1 mod 8 0 y = 1 mod 8
a = 1 mod 8
8
1 y = 1 × 1 mod 8 = 1 mod 8
16
a = 1 mod 8 1 y = 1 × 1 mod 8 = 1 mod 8

The table shows that we can stop whenever axi becomes 1.

b. y = 32023 mod 461 → a = 320, x = 23 = 101112. Shaded areas represent no mul-
tiplications. All calculations are in modulo 461. The answer is y = 373.
a’s xi y = 1 mod 461
a1 = 320 mod 461 1 y = 1 × 320 mod 461 = 320 mod 461
a = 58 mod 461
2
1 y = 320 × 58 mod 461 = 120 mod 461
a = 137 mod 461
4 1 y = 120 × 137 mod 461 = 305 mod 461
a = 329 mod 461
8 0 y = 305 mod 461
a16 = 367 mod 461 1 y = 305 × 367 mod 461 = 373 mod 461
 7

c.
y = 177641 mod 2134 → a = 1776, x = 41 = 1010012. Shaded areas represent no
multiplications. All calculations are in modulo 2134. The answer is y = 698.
a’s xi y = 1 mod 2134
a1 = 1776 mod 2134 1 y = 1 × 1776 mod 2134 = 1776 mod 2134
2
a = 124 mod 2134 0 y = 1776 mod 2134
4
a = 438 mod 2134 0 y = 1776 mod 2134
8
a = 1918 mod 2134 1 y = 1776 × 1918 mod 2134 = 504 mod 2134
a16 = 1842 mod 2134 0 y = 504 mod 2134
32
a = 2038 mod 2134 1 y = 504 × 2038 mod 2134 = 698 mod 2134

d. y = 200135 mod 2000 → a = 2001, x = 35 = 1000112. Shaded areas represent no

multiplications. All calculations are in modulo 2001. The answer is y = 1.
a’s xi y = 1 mod 2000
a1 = 1 mod 2000 1 y = 1 × 1 mod 2000 = 1 mod 2000
a = 1 mod 2000
2 1 y = 1 × 1 mod 2000 = 1 mod 2000
a = 1 mod 2000
4
0 y = 1 mod 2000
a8 = 1 mod 2000 0 y = 1 mod 2000
a16 = 1 mod 2000 0 y = 1 mod 2000
a 32 = 1 mod 2000 1 y = 1 × 1 mod 2000 = 1 mod 2000

The table shows that we can stop whenever axi becomes 1.

37.
a. To solve the equation x5 ≡ 11 (mod 17), we need to find a primitive root in the
group G = <Z17∗, × > and the discrete logarithm table for that root. The first
primitive root in this group is 3 (primitive roots are 3, 5, 6, 7, 10, 11, 12, and
14). The discrete logarithm table for this root (base) can be found as
x 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
L3 (x) 16 14 1 12 5 15 11 10 2 3 7 13 4 9 6 8

We then apply the function L3 to both sides of the congruence. Note that the
working modulus is φ(17) = 16 and L3(11) = 7 (from the table).
L3 (x5) ≡ L3 (11) (mod 16) → 5 × L3 (x) ≡ 7 (mod 16) → 5 × L3 (x) ≡ 7 (mod 16)

Now we need to solve the congruence equation 5 × L3 (x) ≡ 7 (mod 16). Recall
from Chapter 2 that this equation has only one solution because gcd (5, 16) = 1.
 8

L3 (x) ≡ 5−1 × 7 (mod 16) ≡ 11 (mod 16)

Now we can use the table to find x if L3 (x) = 11; the answer is x = 7, which can be
checked as 75 ≡ 11 (mod 17). We can also write a program to test all of values of x
from 1 to 17 to see if any of this values satisfies the equation. We did so; the
only value is x = 7.
b. To solve the equation 2x11 ≡ 22 (mod 19) or 2x11 ≡ 3 (mod 19), we need to find
a primitive root in the group G = <Z19∗, × > and the discrete logarithm table for
that root. The first primitive root in this group is 2 (see Exercise 36). The dis-
crete logarithm table for this root (base) can be found as
x 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
L2 x 18 1 13 2 16 14 6 3 8 17 12 15 5 7 11 4 10 9

We then apply the function L2 to both sides of the congruence. Note that the
working modulus is φ(19) = 18, L2(2) = 1 and L2(3) = 13.
L2 (2x11) ≡ L2 (3) (mod 18) → L2 (2) + 11 × L2 (x) ≡ L2 (3) (mod 18)
→ 1 + 11 × L2 (x) ≡ 13 (mod 18) → 11 × L2 (x) ≡ 12 (mod 18)

Now we need to solve the congruence equation 11 × y ≡ 12 (mod 18). Recall from
Chapter 2 that this equation has only one solution because gcd (11, 18) = 1.

11 × y ≡ 12 (mod 18) → y ≡ 11−1 × 12 (mod 18) ≡ 5 × 12 (mod 18) ≡ 6 (mod 18)

Now we can use the table to find x if L2 (x) = 6; the answer is x = 7, which can be
checked as 2 × 711 ≡ 3 (mod 19). We can also write a program to test all of values
of x from 1 to 19 to see if any of this values satisfies the equation. We did so;
the only value is x = 7.
c. The equation 5x12 + 6x ≡ 8 (mod 23) cannot be solved using the discrete loga-
rithm discussed in this chapter because there is no property of discrete loga-
rithm to allows us extract L (x) from L (5x12 + 6x). However, we can write a
program to test all of values of x from 1 to 22 to see if any of this values satis-
fies the equation. We did so, but find no value of x satisfying the congruence;
the congruence has no solution.
39. One million operations per second means 3,600,000,000 operations per hour.
a. The complexity of trial division method is exponential (2nb).

2nb = 3,600,000,000 → 2nb ≈ 232 nb ≈ 32

This means n < 232

b. The complexity of Fermat method is subexponential or 2p(log2nb). For simplicity,

we assume the complexity to be 2(log2nb)2.
 9

2(log2nb)2 = 3,600,000,000 → 2(log2nb)2 ≈ 232 → (log2nb)2 ≈ 32

→ (log2nb) ≈ 5.7 → nb ≈ 25.7 → 52
This means n < 252

c. The complexity of Polard rho method is exponential or (2nb/4).

2nb/4 = 3,600,000,000 → 2nb/4 ≈ 232 nb ≈ 128

This means n < 2128

d. The complexity here is eC where C = (lnn lnlnn)1/2. Since it is very difficult to

calculate n in this case, we assume that C = lnn)1/2 or C = (lnn).

elnn = 3,600,000,000 → lnn = 3,600,000,000

This means n < e3,600,000,000

e. The complexity here is eC where C = 2(lnn)1/3(lnlnn)2/3. Since it is very diffi-

cult to calculate n in this case, we assume that C = 2(lnn)1/3(lnn)2/3 = 2(lnn)

e2lnn = 3,600,000,000 → lnn = 1,800,000,000

This means n < e1,800,000,000

41.
Square_and_Multiply (a, x, n)
{
y ←1
for (i = nb −1 downto 0)
{
a ← a2 mod n
if (xi = 1)
y ← y × a mod n
}
return y
}

43.
FermatPrimalityTest (a, n) // We can use different bases
{
y ← Square_and_Multiply (a, n − 1, n) // See Algorithm 9.7 in the text
if (y = 1)
return (n is probably a prime)
return (n is a composite)
}
 10

45.
ChineseRemainderTheorem(k, a[1 … k], m[1 … k])
{
M←1
for (i = 1 to k)
M ← M × m[i]
for (i = 1 to k)
{
M[i] ← M / m[i]
InvM[i] ← M[i]−1 mod m[i]
}
x←0
for (i = 1 to k)
x ← [x + (a[i] × M[i] × InvM[i])] mod M
return x
}

47.
FindFirstPrimitiveRoot (p) // p is a prime
{
for (a = 2 to p −1)
{
i ←1
while (ai mod p ≠ 1)
{
i ←i +1
}
if (i = p − 1) // order a = φ(p)
return a
}
}

49.
FindAllDiscreteLogs (p) // p is a prime
{
PrimitiveRootList ← FindAllPrimitiveRoots (p) // See Exercise 48
Create a DiscreteLogTable sorted on y
for (each g in PrimitiveRootList)
{
for (x = 1 to p − 1)
{
y ← gx mod p
insert x to Lg row of DiscreteLogTable under y column
}
}
return DiscreteLogTable
}